I'm guessing the message from remote to badge is not cryptographically authenticated. So it can't be that hard to program other people's badges, remotely and covertly... how long would it take them to notice?